Lets isolate a process with no container like docker

Let’s isolate a
process with no
container.

Let’s isolate a
process with no
container.
Readable example with code and explanation:
welcometothebundle.com/isolate-a-process-with-no-container-like-docker

@liuggiowelcometothebundle.com

What is a
Container?
@liuggio Giulio De Donato

“I once heard that hypervisors
are the living proof of operating
system's incompetence”
-- Glauber Costa's - LinuxCon Europe 2012

... containers ...
“I would love to say months,
but let's get realistic”
-- Glauber Costa's - LinuxCon Europe 2012

Is all about
ISOLATION

chroot
?

while true;
do mkdir x; cd x;
done
bomb() {
bomb | bomb &
}; bomb
Attacks

GOAL OF
TODAY:
http://9gag.com/gag/aGxbmGz
namespace cgroups ufs

LXC vs DOCKER

Let’s start with the first set of slides
Once upon a time ...

NAMESPACE
Linux 2.6.23 (released in late 2007)
6 namespaces
- mnt (mount points, filesystems)
- pid (processes)
- net (network stack)
- ipc (System V IPC)
- uts (hostname)
- user (UIDs)
Namespaces started in about
2002.

Namespaces processes API
consists of these 3 system calls:
● clone() - creates a new process and a new namespace; the
newly created process is attached to the new namespace
● unshare()–gets only a single parameter, flags. Does not create a
new process; creates a new namespace and attaches the calling
processto it.
● setns()- a new system call, for attaching the calling process to
an existing namespace;

DEMO
Namespace
https://gist.github.com/liuggio/
114f506fbe040ac93687dc797b923cbf
1

CGroups!
The cgroup (control groups) subsystem is a Resource Management and Resource
Accounting/Tracking solution, providing a generic process - grouping framework
It handles resources such as memory, cpu, network, and more;
mostly needed in both ends of the spectrum (servers and embedded).
∎ Development was started by engineers at Google in 2006 under the name "process containers”
∎ Merged into kernel 2.6.24 (2008).
∎ cgroup core has 3 maintainers, and each cgroup controller has its own maintainer (cpu memory io)

DEMO
CGROUPS
https://asciinema.org/a/7w13btk2uethz2e57lgpfz5ym
or https://goo.gl/NyPMFJ
3

THIS IS A TREE

WHAT IS IT?

DEMO
UFSapt-get install aufs-tools
https://asciinema.org/~liuggio
https://asciinema.org/a/41778
2

Union File System
PRO
- File level
- No caches
CONS
- Bad performance for big files
- Not in kernel
- Too much layers costs
● merge into a single directory 2 devices
● Combining a large, read-only file system with small write area (like livecd)

ZFS is a combination of a volume manager (like LVM) and a filesystem (like ext4, xfs, or btrfs).
ZFS one of the most beloved features of Solaris, universally coveted by every Linux sysadmin with a Solaris background.
● snapshots
● copy-on-write cloning
● continuous integrity checking against data corruption
● automatic repair
● efficient data compression
2016

UFS
CGROUPS
namespace

THANKS!

∎ www.welcometothebundle.com/isolate-a-process-with-no-container-like-docker
∎ https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#namespaces
∎ https://www.opencontainers.org/news/faqs/who-will-be-initial-technical-leadership
∎ http://www.cyberciti.biz/faq/unix-linux-chroot-command-examples-usage-syntax/
∎ http://s0.cyberciti.org/uploads/faq/2013/01/bash-chroot-ls-demo.gif
∎ https://www.flockport.com/lxc-vs-docker/
∎ http://ramirose.wix.com/ramirosen
∎ https://lwn.net/Articles/532593/
∎ https://docs.docker.com/engine/reference/run/
∎ http://www.netdevconf.org/1.1/proceedings/slides/rosen-namespaces-cgroups-lxc.pdf
∎ https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/
∎ https://skillsmatter.com/skillscasts/7101-building-containers-from-scratch-for-fun-and-profit
∎ https://docs.oracle.com/cd/E18752_01/html/817-5093/bkupsnapshot-9.html
∎ https://www.flickr.com/photos/15514374@N05/10164384915/in/photolist-guc8vM-eUsLmk-bUx1od-snDG6D-4EdN6w-dRNW5S-92a5Rc-bqLMQX-9W8h5y-b4nUUZ-qBTHgX-qP1gRX-
bjCEPC-9tmmnk-eiz69R-dUwHXM-ff6xuP-J1cvu-7FC9CK-5QNat5-sniS97-dmWZqi-9FJL3F-e5QKNc-oaepa3-dHcamQ-4EJPTP-eB42Pm-aywhxM-eSZ6Gv-jhYq8x-cXnWtd-6HXxUg-8ZKp87-
5BL32d-7g3EHP-4gc756-cBECqo-oBFK5Y-9fUMLY-e7z58s-oViSZU-pKrEsE-6J2D5b-6HXwrz-6HXxt8-9k3DeV-9k6CLy-qFGW5B-hrxHnf
∎ https://docs.docker.com/engine/userguide/storagedriver/device-mapper-driver/
∎ https://docs.docker.com/engine/userguide/storagedriver/zfs-driver/
∎ Presentation template by SlidesCarnival
CREDITS

FATTI UN
CONTAINER
TUTTO TUO!! @liuggio Giulio De Donato

Have you ever heard about this?
- What is
- Who
- Why

Lets isolate a process with no container like docker

More Related Content

What's hot (20)

Similar to Lets isolate a process with no container like docker (20)

More from Giulio De Donato (11)

Recently uploaded (20)

Lets isolate a process with no container like docker